1427 stories
·
0 followers

Elon Musk bought a gas turbine company

1 Share
It's likely to become a direct power source for SpaceXAI's data centers.

Read the whole story
Share this story
Delete

The case of the invalid function pointer when shutting down the display control panel

2 Shares

The number one crash in the display control panel looks like this:

rax=ffffffffc836d280 rbx=0000000000000001 rcx=0000000000030440
rdx=0000000000000002 rsi=0000000000030440 rdi=0000000080006011
rip=00007ffac835cd1e rsp=000000155e48e3f8 rbp=000000155e48e749
 r8=0000000000000000  r9=0000000000000000 r10=007fffffffe41b69
r11=00007df502390000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000002 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!LdrpDispatchUserCallTarget+0xe:
00007fff`924acd1e mov     r11,qword ptr [r11+r10*8] ds:04007df5`0159db48=????????????????
0:000> k
Call Site
ntdll!LdrpDispatchUserCallTarget+0xe
user32!UserCallWinProcCheckWow+0x2bd
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserDestroyWindow+0x14
comctl32!_RealPropertySheet+0x36d
comctl32!_PropertySheet+0x47
Display!PropertySheetW+0x5d
Display!AdvancedSettingSheetHelper+0x3be
Display!ShowAdapterSettings+0x89
rundll32!CallRunDllFunction+0x1c
rundll32!wWinMain+0x2bf
rundll32!__wmainCRTStartup+0x1c9
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

From the stack, we see that we have a display adapter settings property sheet. We are destroying it, and we crash trying to validate the window procedure address.

We saw some time ago that you can pull out the bad address by inspection.

0:000> u .-e .
ntdll!LdrpDispatchUserCallTarget:
00007fff`924acd10 mov     r11,qword ptr [ntdll+0x001813a8]
00007fff`924acd17 mov     r10,rax
00007fff`924acd1a shr     r10,9
00007fff`924acd1e mov     r11,qword ptr [r11+r10*8]

The register that is the source of the shift is rax, so that’s the function pointer. And from the register dump, we see that the address is

rax=ffffffffc836d280

Yeah, that address doesn’t look like a valid function pointer.

On 64-bit systems, user-mode pointers have low addresses (which start with 0000), and kernel-mode pointers have high addresses (which start with ffff). So this function pointer is clearly invalid for user mode.

Maybe we can fix it so it’s valid again. Let’s see what code addresses are valid in this process.

0:000> lm
start             end                 module name
00000001`80000000 00000001`80043000   contoso
00007ff6`44570000 00007ff6`44587000   rundll32
00007fff`6a4f0000 00007fff`6a6b7000   d3d9
00007fff`6e600000 00007fff`6e6a9000   comctl32_7fff6e600000
00007fff`6f5d0000 00007fff`6f5e5000   pcacli
00007fff`753b0000 00007fff`753c1000   sfc_os
...
00007fff`91020000 00007fff`910f0000   comdlg32
00007fff`912b0000 00007fff`915e6000   combase
00007fff`91600000 00007fff`91794000   user32
00007fff`917a0000 00007fff`91852000   kernel32
00007fff`918e0000 00007fff`91989000   SHCore
00007fff`91990000 00007fff`91ae6000   ole32
00007fff`91af0000 00007fff`91b16000   gdi32
00007fff`91b20000 00007fff`91bc3000   advapi32
00007fff`91bd0000 00007fff`91c67000   sechost
00007fff`91c70000 00007fff`91cc2000   shlwapi
00007fff`91cd0000 00007fff`91ced000   imagehlp
00007fff`91d50000 00007fff`921c0000   setupapi
00007fff`92220000 00007fff`92355000   msctf
00007fff`92420000 00007fff`92610000   ntdll
...

Ny suspicion is that the function pointer got truncated to a 32-bit value, and then was sign-extended back up to a 64-bit value. So we are looking for valid function pointers of the form xxxxxxxx`924bbde0. In the above list of valid code addresses, the only ones that have the lower bits in the 92xxxxxx range all have a high 32 bits of 00007fff, so let’s plug that in and see if we get a window procedure.

0:000> ln 7fff924bbde0
(00007fff`924bbde0)   ntdll!NtdllButtonWndProc_A   |  (00007fff`924bbdf0)   ntdll!NtdllButtonWndProc_W

Jackpot.

So the caller probably subclassed a window, and then tried to restore the original window procedure, but messed up and restored only the bottom 32 bits.

But who could that be?

0:000> k
Call Site
ntdll!LdrpICallHandler+0xf
ntdll!RtlpExecuteHandlerForException+0xf
ntdll!RtlDispatchException+0x219
ntdll!KiUserExceptionDispatch+0x2e
ntdll!LdrpDispatchUserCallTarget+0xe
user32!UserCallWinProcCheckWow+0x2bd
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserDestroyWindow+0x14
comctl32!_RealPropertySheet+0x36d
comctl32!_PropertySheet+0x47
Display!PropertySheetW+0x5d
Display!AdvancedSettingSheetHelper+0x3be
Display!ShowAdapterSettings+0x89
rundll32!CallRunDllFunction+0x1c
rundll32!wWinMain+0x2bf
rundll32!__wmainCRTStartup+0x1c9
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

This is a property sheet, so we should be able to extract the pages of the property sheet. (Note: Requires internal Microsoft symbols, so you won’t be able to do this at home.)

0:000> .frame d
09 00000017`85a7e820 00007fff`86e60349 Display!AdvancedSettingSheetHelper+0x3be
0:000> dv
     hwndParent = <value unavailable>
            psh = struct _PROPSHEETHEADERW_V2
      szMonitor = wchar_t [140] "Generic PnP Monitor"
         rPages = struct _PSP *[100]
        iResult = 0n0

The desktop background control panel is extensible, and the way that a plug-in adds a page to the desktop background control panel is by handling the IShellPropSheetExt::AddPages method and calling the provided “page adding function” with a HPROPSHEETPAGE. What that function does is add the HPROPSHEETPAGE to the pages in the property sheet. (We can see that there’s room for 100 of them in the rPages.)

And the psh is the PROPSHEETHEADER.

0:000> ?? psh
struct _PROPSHEETHEADERW_V2
   +0x000 dwSize           : 0x60
   +0x004 dwFlags          : 0x2000001
   +0x008 hwndParent       : 0x00000000`000401aa HWND__
   +0x010 hInstance        : 0x00007fff`86e50000 HINSTANCE__
   +0x018 hIcon            : (null)
   +0x020 pszCaption       : 0x00000017`85a7f100  "Generic PnP Monitor and Contoso Chipset"
   +0x028 nPages           : 4
   +0x030 nStartPage       : 0
   +0x038 ppsp             : 0x00000017`85a7ec70 _PROPSHEETPAGEW
   +0x038 phpage           : 0x00000017`85a7ec70  -> 0x000001d5`4e1aac90 _PSP

We see that there are four pages, so we can inspect the first four HPROPSHEETPAGEs in rPages.

And hey look, we have an array of HPROPSHEETPAGE structures

0:000> ?? psh.phpage[0]
struct _PSP * 0x000001d5`4e1aac90
0:000> ?? psh.phpage[1]
struct _PSP * 0x000001d5`4e19e470
0:000> ?? psh.phpage[2]
struct _PSP * 0x000001d5`4e19e520
0:000> ?? psh.phpage[3]
struct _PSP * 0x000001d5`4e1d26d0

The HPROPSHEETPAGE is an opaque structure, but we can dump it and look for interesting things, for entertainment purposes only.

0:000> dps 0x000001d5`4e1aac90 l4
000001d5`4e1aac90  000001d5`4e1aac60
000001d5`4e1aac98  00000000`00000000
000001d5`4e1aaca0  00004088`00000068
000001d5`4e1aaca8  00007fff`88d70000 deskadp
0:000> dps 0x000001d5`4e19e470 l4
000001d5`4e19e470  000001d5`4e19e440
000001d5`4e19e478  00000000`00000000
000001d5`4e19e480  00004088`00000068
000001d5`4e19e488  00007fff`893e0000 deskmon
0:000> dps 0x000001d5`4e19e520 l4
000001d5`4e19e520  000001d5`4e19e4f0
000001d5`4e19e528  00000000`00000000
000001d5`4e19e530  000040c8`00000068
000001d5`4e19e538  00007fff`86e30000 colorui
0:000> dps 0x000001d5`4e1d26d0 l4
000001d5`4e1d26d0  000001d5`4e1bcb30
000001d5`4e1d26d8  000001d5`4e1d26a0
000001d5`4e1d26e0  0000008a`00000068
000001d5`4e1d26e8  00000001`80000000 contoso

There are a bunch of HMODULEs here, which are probably the modules that the property sheet page came from. The first three come with Windows. The last one apparently is Contoso. Let’s focus on at last one.

After the first two values (which look like pointers), we have 0x00000068 which is not-coincidentally sizeof(PROPSHEETPAGE), so I’m going to guess that this is where the system stores the PROPSHEETPAGE that the handle was created from.

Note: Note that this is an implementation detail and should be used only for debugging purposes. Please don’t write programs that rely on this, because it can change.¹

0:000> dt comctl32!_PROPSHEETPAGEW  000001d5`4e1d26e0
   +0x000 dwSize           : 0x68
   +0x004 dwFlags          : 0x8a
   +0x008 hInstance        : 0x00000001`80000000 HINSTANCE__
   +0x010 pszTemplate      : 0x00000000`00000589  "--- memory read error at address 0x00000000`00000589 ---"
   +0x010 pResource        : 0x00000000`00000589 DLGTEMPLATE
   +0x018 hIcon            : 0x00000000`000503b9 HICON__
   +0x018 pszIcon          : 0x00000000`000503b9  "--- memory read error at address 0x00000000`000503b9 ---"
   +0x020 pszTitle         : 0x000001d5`4e19cde0  "?????"
   +0x028 pfnDlgProc       : 0x00000001`800047ac contoso+0x47ac
   +0x030 lParam           : 0n2015682301296
   +0x038 pfnCallback      : (null)
   +0x040 pcRefParent      : (null)
   +0x048 pszHeaderTitle   : (null)
   +0x050 pszHeaderSubTitle : (null)
   +0x058 hActCtx          : (null)
   +0x060 hbmHeader        : (null)
   +0x060 pszbmHeader      : (null)

The dialog procedure is 0x00000001`800047ac. I’m hoping I can reverse-engineer it enough to see the place where it subclassed the button incorrectly.

00000001`800047ac mov     [rsp+8],rbx
00000001`800047b1 mov     [rsp+10h],rbp
00000001`800047b6 mov     [rsp+18h],rsi
00000001`800047bb push    rdi
00000001`800047bc sub     rsp,30h
00000001`800047c0 mov     rdi,r9                ; rdi = r9 = lParam
00000001`800047c3 mov     rbp,r8                ; rbp = r8 = wParam
00000001`800047c6 mov     esi,edx               ; esi = edx = message
00000001`800047c8 mov     rbx,rcx               ; rbx = rcx = hdlg
00000001`800047cb cmp     edx,110h              ; Q: WM_INITDIALOG?
00000001`800047d1 jne     00000001`800047e2     ; N: Skip
00000001`800047d3 mov     r8,[r9+30h]           ; Y: r8 = ((PROPSHEETPAGE*)r9)->lParam
00000001`800047d7 mov     edx,0FFFFFFEBh        ; edx = -21
                                                ; ecx = hdlg (unchanged)
00000001`800047dc call    [00000001`8002b4a0]   ; mystery function 1

00000001`800047e2 mov     edx,0FFFFFFEBh        ; edx = -21
00000001`800047e7 mov     rcx,rbx               ; rcx = hdlg
00000001`800047ea call    [00000001`8002b480]   ; mystery function 2
00000001`800047f0 test    rax,rax               ; Q: Failed?
00000001`800047f3 je      00000001`8000480b     ; Y: Bail out
00000001`800047f5 mov     r9,rbp                ; param4 = wParam
00000001`800047f8 mov     r8d,esi               ; param3 = message
00000001`800047fb mov     rdx,rbx               ; param2 = hdlg
00000001`800047fe mov     rcx,rax               ; param1 = from mystery function 2
00000001`80004801 mov     [rsp+20h],rdi         ; param5 = lParam
00000001`80004806 call    00000001`800045fc     ; mystery function 3
00000001`8000480b mov     rbx,[rsp+40h]         ; restore registers
00000001`80004810 mov     rbp,[rsp+48h]
00000001`80004815 mov     rsi,[rsp+50h]
00000001`8000481a add     rsp,30h
00000001`8000481e pop     rdi
00000001`8000481f ret                            ; done

We know that the lParam parameter to the WM_INIT­DIALOG message is the value passed as the “parameter” to functions like CreateDialogParam, and specifically for property sheets, it’s a pointer to a PROPSHEETPAGE. And we saw from the structure dump above that offset 0x30 is the lParam.

From the structure of this function, it’s clear that the magic value -21 is GWLP_USERDATA, mystery function 1 is SetWindowLongPtr, and mystery function 2 is GetWindowLongPtr. This is a standard pattern for dialog box functions, and it’s common to use a wrapper function.

The real dialog procedure is the third mystery function, so let’s look at that.

00000001`800045fc mov     [rsp+8],rbx
00000001`80004601 mov     [rsp+10h],rbp
00000001`80004606 mov     [rsp+18h],rsi
00000001`8000460b push    rdi
00000001`8000460c push    r12
00000001`8000460e push    r13
00000001`80004610 sub     rsp,20h
00000001`80004614 mov     rsi,[rsp+60h]     ; rsi = lParam
00000001`80004619 mov     rbp,r9            ; rbp = wParam
00000001`8000461c mov     ebx,r8d           ; ebx = message
00000001`8000461f mov     r13,rdx           ; r13 = hdlg
00000001`80004622 mov     rdi,rcx           ; rdi = this
00000001`80004625 cmp     r8d,2Bh           ; Q: WM_DRAWITEM?
00000001`80004629 jne     00000001`80004685 ; N: Skip

After the initial register spilling and saving, it checks if the message is 0x2B: WM_DRAWITEM. That’s not particularly interesting to us, so let’s assume it’s not.

00000001`80004685 sub     ebx,2             ; Q: WM_DESTROY?
00000001`80004688 je      00000001`8000470f

Ooh, the WM_DESTROY message is interesting. It’s probably going to restore the original window procedure in its WM_DESTROY handler, and that’s where we hope to find the truncation.

00000001`8000470f mov     rcx,[rdi+110h]        ; rcx = something
00000001`80004716 movsxd  rbx,dword ptr [00000001`80039c50] ; rbx = something
00000001`8000471d mov     edx,668h              ; ecx = some number
00000001`80004722 call    [00000001`8002b4e0]   ; mystery function 4
00000001`80004728 mov     r8,rbx                ; r8 = something
00000001`8000472b mov     edx,0FFFFFFFCh        ; edx = -12
00000001`80004730 mov     rcx,rax               ; rcx = function 4 retval
00000001`80004733 call    [00000001`8002b4a0]   ; mystery function 1 again

On receipt of the WM_DESTROY message, the code starts by getting something out of the this pointer (which we saw in the prologue was saved in rdi), and loads some other thing from a global variable.

Next, it calls mystery function 00000001`8002b4e0 with 0x668 as the second parameter. Not sure what that is, but we’ll keep it in mind.

Next, we set up for another function call, and this one we recognize: 00000001`8002b4a0 is the import address table entry for SetWindowLongPtr. We saw it in the static dialog procedure.

The parameters are the window handle that was obtained from mystery function 4, the constant -12, and the 32-bit value we loaded from 00000001`80039c50. The mystery function 4 was probably Get­Dlg­Item. And since we figured out that the function being called is SetWindowLongPtr, the value -12 is GWLP_WNDPROC.

The value being set is the third parameter, which was loaded by movsxd dword ptr, which is a 32-bit to 64-bit sign-extended load. This is a problem because the window procedure is a 64-bit value.

I bet they loaded the value incorrectly.

0:000> dp 00000001`80039c50 l1
00000001`80039c50  00007fff`924bbde0

Hey look, it’s the full 64-bit pointer we were supposed to have used, except we messed up and truncated the pointer.

The C++ source code probably looked like this:

SetWindowLongPtr(GetDlgItem(m_hdlg, 0x668),
    GWLP_WNDPROC, (LONG)g_originalWndProc);

The cast to LONG is what’s doing the truncation and sign extension. It should be a cast to LONG_PTR.

We can patch this into the binary after looking at the processor instruction encoding documentation.

The original instruction was

00000001`80004716 48631d33550300  movsxd  rbx,dword ptr [00000001`80039c50]

The documentation says that the encoding for movxsd r64, r/m32 is “REX.W + 63 /r”.

What we want is mov rbx, [00000001`80039c50], and the documentation says that the encoding for mov r64, r/m64 is “REX.W + 8B /r”.

So let’s patch the 63 to 8b.

0:000> eb 00000001`80004717 8b
0:000> u 00000001`80004716 l1
00000001`80004716 488b1d33550300  mov     rbx,qword ptr [00000001`80039c50]

This is literally a one-byte bug fix.

Next time, we’ll speculate on how this bug arose.

Bonus reading: The decoy control panel.

¹ Back in the late 1990’s, we discovered a program that reverse-engineered the internal data structures of the Windows 95 property sheet manager to the point where instead of passing an HPROPSHEETPAGE that was created by the Create­Property­Sheet­Page function, it created fake HPROPSHEETPAGEs that it had constructed manually in memory. This made adding support for Unicode property sheets that much harder because the internal structure of HPROPSHEETPAGEs changed in order to support both ANSI and Unicode property sheet pages, and they were passing the old version. The property sheet manager has to recognize that it is being given a fake HPROPSHEETPAGE and convert it on the fly to a real one.

The post The case of the invalid function pointer when shutting down the display control panel appeared first on The Old New Thing.

Read the whole story
Share this story
Delete

Colorado will decide whether a "right to natural gas" is added to state constitution

1 Share

A ballot measure written by a conservative nonprofit could amend the Colorado Constitution to enshrine fossil fuel companies’ right to sell methane gas and possibly force communities that have tried to eliminate gas appliances from new construction to back away from those efforts.

Advance Colorado, which wrote the measure and led the effort to gather enough signatures to add the measure to the ballot, submitted its petition on June 25 to put Initiative 177, the “Right to Natural Gas,” to voters in November’s state election.

The broad language of the measure—only 60 words in total—makes it difficult to predict how state agencies would implement it if it passes, and many people worry the amendment would endanger Colorado’s ability to reach its climate goals.

The proposed amendment states that “producers and utilities have the right to sell natural gas to homes and businesses.” That could force changes to building codes that encourage electric heating and cooking, undoing progress toward electrification.

“Really, it’s just a cynical attempt to lock fossil fuel industry profits into the state constitution,” said Kelly Nordini, CEO of Conservation Colorado, an environmental nonprofit. “That’s bad for people’s pocketbooks, for clean air, for clean water; it has no provisions for public health or safety.”

The ballot measure faced pushback earlier this year from House Democrats and Conservation Colorado. House Democrats proposed a bill that would have preemptively placed protections for public health and safety on the right to natural gas amendment. However, House Republicans ran out the clock on the bill during the final day of the legislative session, preventing it from being introduced.

Conservation Colorado initially filed four ballot initiatives for November’s state election in response to the amendment: three seeking to hold oil and gas companies liable for harm caused by their operations, and one to stop utilities from raising rates to pay for natural gas infrastructure expansion. The organization later decided not to pursue these initiatives to focus on opposing the right to natural gas measure.

Advance Colorado did not respond to requests for comment. However, in a report published in April, they argued that “burdensome” regulation places hidden costs on consumers and calls on the state to protect the right to energy choice. The report said that efforts toward decarbonization and electrification—key pillars of the state’s efforts to confront climate change—“would have a devastating impact on Colorado.”

Legislators and industry groups in other states have pursued similar actions to prevent the transition away from domestic methane gas use. From 2020 to 2024, 26 states passed preemptive bans on policies that required the states to transition away from methane gas use. For example, in 2021, Utah enacted a law banning restrictions on connections to gas utilities.

While the right to natural gas measure in Colorado has similar motivations to actions taken in other states, it takes a unique approach.

“We’re in uncharted terrain,” said Michael Burger, executive director of the Sabin Center for Climate Change Law at Columbia University. “This would be the first constitutional amendment to provide a right to a particular fossil fuel.” A constitutional amendment would trump most legislation seeking to limit the use of methane gas, while the laws in other parts of the country don’t have the same power.

Colorado’s ballot measure is also unique in its breadth: the language contains no caveats, explanations or provisions for public safety. “It doesn’t reflect the sort of thorough public engagement and decision making, and the application of technical expertise which typically you would want when making these kinds of decisions,” said Burger.

The decision to pursue the policy as a ballot measure also reflects a larger trend in Colorado politics. In recent years, citizen-initiated ballot measures have become the strategy of choice for conservatives in the state to pursue their policy priorities without going through the majority-blue legislature.

Ballot measures historically have been used to pursue policies that would struggle through an unsympathetic legislature. Colorado’s 2004 Renewable Portfolio Standard, which established the state’s first push towards renewable energy, succeeded as a ballot measure when Republicans held a majority in the state government.

Voter turnout and engagement is low for local and state elections, especially for ballot issues, so financial backing can exert greater influence on the outcome. According to campaign finance disclosures, more than $1,000,000 was spent this year on signature collection for the right to natural gas initiative.

Over the last three years, Advance Colorado and other conservative nonprofits have spent more than $8.6 million on canvassing for ballot initiatives that Advance Colorado writes. Since 2023, four conservative nonprofits—Advance Colorado, Colorado Dawn, Defend Colorado and Common Sense America—have accounted for nearly all of the $10,000,000 of reported spending by citizens on ballot initiative canvassing in the state.

While Advance Colorado has deep pockets, it does not have to disclose its funders, which led Nordini to worry about the motivations behind the ballot measure.“Who’s funding that? Who’s behind this? Who stands to benefit?” she asked. “We have no idea.”

Oil and gas has historically held considerable political power in Colorado state politics. According to state lobbying disclosures, three oil and gas companies—Chevron, Civitas, and Kinder Morgan—collectively registered 21 lobbyists in the 2025 session, and industry groups registered at least another 16. The state’s three largest employers—the University of Colorado, Denver International Airport and Walmart—registered only eight total in the same year.

In 2023, Civitas, the American Petroleum Institute, and the Colorado Oil and Gas Association lobbied to support HB23-1127 “Customer’s Right To Use Energy”—a proposed bill very similar to the right to natural gas amendment. The bill, which failed in committee, also would have prohibited local building codes that limited the use of natural gas.

The right to natural gas measure arrives as the state pursues policies aimed at reducing carbon emissions from natural gas. Colorado currently generates around a third of its electricity from methane gas, and around 70 percent of the state’s homes use it for heating. In 2022, the Colorado Public Utilities Commission issued a rule requiring emissions from heating buildings to be cut by 41 percent by 2035.

The state relies on incentives to encourage homeowners to make energy efficiency upgrades in their homes. Rebates for switching to electric heat pumps, funded by the Inflation Reduction Act, were hugely popular with Coloradans—of the $31.89 million in funding released by the state in November 2025, only $3.5 million remains. Homeowners in the eastern half of the state reserved the four years’ worth of rebates available to them within six months.

Electric heat pumps emit less carbon than methane gas furnaces, even when methane gas powers the local electricity grid. They are more energy efficient, and as the grid incorporates more renewables, the emissions per unit of heat they generate goes down. Heat pumps can also lower utility bills, reduce indoor pollution and minimize the risk of carbon monoxide poisoning.

In the past five years, some municipalities in Colorado have adopted ambitious building codes that require heat pumps in new buildings to reduce carbon emissions. A 2022 policy in the City of Denver requires swapping methane gas furnaces for heat pumps whenever a home or commercial building needs a major repair to its heating system. The town of Crested Butte now requires new construction to be all-electric—that means no methane gas for heating, boilers, or cooking.

If Advance Colorado’s right to natural gas amendment passes in November, those building codes would likely need to change to maintain distributors’ ability to sell gas to homeowners and businesses.

The right to natural gas has to earn 55 percent of the vote to become part of the constitution, but it will face vocal opposition from environmental and progressive groups throughout the state. Conservation Colorado has submitted a campaign finance complaint alleging that Advance Colorado has failed to register an issue committee and disclose all expenditures related to the campaign.

Even though Advance Colorado gathered the signatures necessary to get the initiative on the November ballot, Nordini is optimistic that it won’t prevail in the election: “I think Colorado voters will see through this.”

This article originally appeared on Inside Climate News, a nonprofit, non-partisan news organization that covers climate, energy, and the environment. Sign up for their newsletter here.

Read full article

Comments



Read the whole story
Share this story
Delete

China, Russia and Others Seek To Inflame Debate Over AI Data Centers

1 Share
An anonymous reader quotes a report from The New York Times: A state-owned newspaper in China recently published a satellite image of a data center in Gainesville, Va., writing in English that the development of artificial intelligence posed a threat to Americans' physical and financial well-being. A comic strip made to look as if it had been published by a Maryland news outlet -- created with OpenAI's ChatGPT by people in China, the tech company said -- circulated on X this year, blaming data centers for soaring electricity bills. It showed a tycoon smoking a cigar and clutching bags of cash. A video shared on X by a known covert Russian influence operation questioned the viability of a data center that an American company, Firebird, is constructing in Armenia, the small Caucasus nation that has been a focus of Kremlin pressure. "The country's electrical grid instability may render it useless," the video's narrator says. All are examples of a push by foreign adversaries to seize on what polls have shown is deep ambivalence -- verging at times on hostility -- about the spread of the data centers needed to power A.I. in the United States and elsewhere. China, Russia and, to a lesser extent, Iran have sought to use state media outlets to turn the controversy over data centers in the United States into "a domestic fracture point," according to a new analysis by Alethea, a threat intelligence company, which identified scores of articles and posts on social media this year. These campaigns, whose impact on public opinion remains to be seen, have raised alarms in Washington, where A.I. is seen as a top issue heading into this year's midterm elections.

Read more of this story at Slashdot.

Read the whole story
Share this story
Delete

Semi-Trailer Trucks Test Converting Into Plug-In Hybrids

1 Share
Long-time Slashdot reader necro81 writes: There are several companies, such as Tesla, trying to make semi trucks fully electric. The capital cost for such a truck, and the MW-scale infrastructure to recharge it, may be a hard sell for some operators. [IEEE Spectrum notes that's a charging infrastructure "that most freight corridors do not yet reliably provide."] But some companies are instead adding batteries and an electric motor to the semi-trailers that trucks haul behind them. "The Nivalis Powered Trailer Kit centers on an electric axle [rated at 50 kilowatts-peak]... capable of both propulsion assistance and regenerative braking. It draws on a 60-kilowatt-hour, 400-volt lithium-ion battery pack charged from three sources: the axle itself during braking and deceleration, a full-rooftop array of photovoltaic panels generating up to 3.7 kilowatts-peak, and a 32-amp, three-phase AC grid connection available during parking stops." This approach is more akin to a plug-in hybrid: the truck may still be diesel-powered, but the electric assist from the trailer allows the truck to run more efficiently. Replacing diesel with kWh can save operators money while also reducing emissions. This incremental approach may be more accessible and less capital-intensive than replacing the truck itself. From the article: The driver's only window into the system is a small display readable from the cab's side mirror that shows the system status and battery charge level. Nothing about the trailer's handling or licensing requirements changes. The partners project savings of up to 7,000 liters of diesel per trailer per year, which is enough to keep about 19 tonnes of carbon dioxide out of the air... Trailer Dynamics, an Aachen-based company, has conducted field tests with BMW Logistics, DB Schenker, Duvenbeck, and Volkswagen Konzernlogistik, reporting average fuel savings of around 40% for diesel tractor combinations, substantially higher than the up to 18% reduction implied by the Nivalis projection... Trailer Dynamics prices its system between €145,000 and €195,000 and targets a payback period of no more than five years. Nivalis targets five to six years at current costs.

Read more of this story at Slashdot.

Read the whole story
Share this story
Delete

How Flock Cameras Wrongly Tracked a Journalist for Days, Then Sent Police to Arrest Him

1 Share
"Are you armed?!" the police officer screamed. "Get out of the car!" A writer for the car-news site The Drive describes how "a technological chain linking surveillance cameras, AI, and law enforcement... led to me and my wife being surrounded by police, hands on their guns, in a Kohl's parking lot in suburban Minnesota." After dropping off our Amazon returns, we'd just gotten back in the Range Rover and reversed maybe two feet out of the spot when four cop cars came flying out of nowhere and boxed us in... The Plymouth Police Department had been tracking me for days using Flock license plate cameras, waiting for the right moment to strike, because they thought I'd stolen the Range Rover. And the reason I was ID'd as a dangerous car thief was a simple data error made 2,000 miles away in California, creating an edge case within an edge case that Flock's AI camera network was unable to handle... "The plates on this car are stolen," Officer Ganshyn said... This made absolutely no sense. Car companies keep meticulous track of the fleets they loan out to the media. The vehicles all have special manufacturer or dealer plates that are logged every time one enters or exits... The New Jersey plates that were allegedly stolen from the LA dealer were 34 03 DTM, not 34 10 DTM. But when the police report was created and the plate was entered into Flock's system, it was just recorded as 34 DTM. Just the five large characters, no little number in the middle... Flock's AI tech wasn't registering that non-standard little number when it began picking up the Range Rover around town... I connected the final dot. A lot of vehicles in [Range Rover manufacturer] JLR's media fleet have a New Jersey manufacturer plate with the same alphanumeric structure — 34 ## DTM — and Officer Ganshyn observed that meant it was now a nationwide issue. Anywhere a police department has a partnership with Flock, any other JLR-owned car with the same plate structure is going to get flagged as stolen. In fact, four other 34 ## DTM cars were being tracked around Minnesota that week, according to Officer Ganshyn. I was just the first one to get nabbed. The only way to stop it would be for the LAPD to correct their initial report and update Flock's system, which Jaguar Land Rover was now racing to make happen following the phone call. Still, he warned me to drive straight home, park the Range Rover, and leave it there. If I were to cross into the neighboring town, I'd probably get flagged again and go through this entire ordeal again with a different set of officers. His parting words were ominous: "You're lucky we're in Plymouth. If you were in Minneapolis, they definitely would've come at you with guns drawn." Ironically, even the original license plate wasn't stolen either, the article points out. It was reported misplaced during a Los Angeles photo shoot, and "The corporation had to report the plate as lost to law enforcement," according to the police report — and even then, the plate "was reported as NJ 34DTM instead of NJ 3403DTM." The author's conclusion? "Once these systems have you in their crosshairs, there's pretty much only one way it can go... A simple data-entry error, magnified and broadcast nationwide by a growing surveillance network operated through an opaque partnership between a private company and public agencies, led police to identify me as a car thief and set up a sting to take me down. I mean, they even had a drone flying overhead during the 'bust'... "Thank God our kids weren't with us." Thanks to long-time Slashdot reader sinij for sharing the article.

Read more of this story at Slashdot.

Read the whole story
Share this story
Delete
Next Page of Stories